A data diode (also referred to as a unidirectional network) is a network device, assimilated to a network security layer, allowing data to travel only in one direction by isolating and protecting networks from external cyber-threats. The travel can be achieved from the "low side" (untrusted network) to the "high side" (trusted network), or viceversa.
In the first case, data in the high side network is kept confidential: the high side can receive data from the low side, but no data on the high side can leak to the low side. In the second case, data can be emitted by the system at the high side to the low side network, while the system and data located at the high side remains protected from any modification from the low side network, thus protecting integrity.
The purpose of a data diode is thus to:
At the difference of using firewalls to force a unidirectional traffic, in a data diode the unidirectional connection is physical. Also, those firewalls need complex rules,a heavy configuration and lots of maintenance whilst the data diode has only one rule guaranteed by its physical connection. Hence the connection remains unidirectional even if both the low and the high networks are compromised.
This is usually achieved using a modified fiber-optic network link, where send and receive transceivers are removed or disconnected for one direction, like on the example below.
This kind of simple data diode can only transmit packets received on the RJ45 interface. Hence it is only useful if used with a switch that performs data mirroring.
Most data diodes are therefore built using two additional servers (one at each end of the diode). These servers allow to:
In practice, those servers can run on minimalist computer devices like a Raspberry PI. That way, the whole data diode can be presented as a compact single box.
Data diodes can be used for multiple purposes:
This technology is usually used by military domains and power generation infrastructures.
FEF is a part of the IEEE 802.3u standard (fas mr-1t Ethernet). When a media converter stops receiving a signal, it will stop emitting as well, thus bringing the connection down in both directions and notifying the end-users that the connection is disabled. This feature is present on most media converters. Some of them allow the FEF to be disabled. For a data diode built with two media converters using the FEF, one of them do not receive any signal (see figure below) and is consequently unable to emit. The solution to this issue is to add a third media converter and connect it to the other media converters.
The data diode allowing only unidirectional traffic, ACK packets cannot be received. The network protocol that must be used is thus the UDP protocol instead of the TCP protocol. Higher level network protocols must therefore be based on UDP and work in a unidirectional way too.
This protocol needs the receiving-end to be able to answer to the ARP requests from the emitting-end. But the ARP broadcasted request cannot be answered in a network that implements a data diode. Static ARP entries must be configured to overcome this issue.
For this project we implemented a data diode in order to study the capabilities of such devices.
Our data diode offers: